Putting Privacy Settings in the Context of Use (danah boyd)

danah boyd illuminates an interesting privacy loophole in how Facebook allows users to view others’ photos. As she describes it:

A few days ago, Gilad’s eyes opened wide and he called me over to look at his computer. He was on Facebook and he had just discovered a privacy loophole. He had maximized his newsfeed to get as many photo-related bits as possible. As a result, he was regularly informed when his Friends commented on other people’s photos, including photos of people with whom he was not Friends or in the same network as. This is all fine and well. Yet, he found that he could click on those photos and, from there, see the entire photo albums of Friends-of-Friends. Once one of his Friends was tagged in one of those albums, he could see the whole album, even if he couldn’t see the whole profile of the person who owned the album.

There are multiple explanations for what is happening. This may indeed be a bug on Facebook’s part. It’s more likely a result of people allowing photos tagged of them to be visible to Friends of Friends through the overly complex privacy settings that even Gilad didn’t know about. Either way, Gilad felt as though he was seeing photos not intended for him. Likewise, I’d bank money that his kid sister’s Friends did not think that tagging those photos with her name would make the whole album available to her brother.

danah also notes how “Facebook’s privacy settings are the most flexible and the most confusing privacy settings in the industry”. This conundrum is what prompted me to draft instructions for students on “How to Change your Facebook Privacy Settings”. (Next I plan to make a YouTube video walking them through these various steps.)

When I post a photo in my album, let me see a list of EVERYONE who can view that photo. When I look at a photo on someone’s profile, let me see everyone else who can view that photo before I go to write a comment.

This echoes many of the suggestions made by Kathy Dwyer in her recent presentation at AoIR on “Designing Privacy Into Online Communities”.
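
The audience list boyd asks for can be computed from the friend graph and the tags. The sketch below is an added example, not code from boyd's post or from Facebook: it assumes a simplified rule (a photo is visible to the album owner, the owner's Friends, tagged users and Friends of tagged users), uses constructed names and data, and compares that per-photo audience with the album-wide access Gilad ran into.

```python
# Toy model with constructed data; the visibility rule is an assumption,
# not Facebook's real access-control logic.
FRIENDS = {  # undirected friendships
    ("maya", "sis"), ("sis", "gilad"), ("maya", "omar"),
}
ALBUM = {  # album owned by maya; photo id -> users tagged in that photo
    "owner": "maya",
    "photos": {"p1": {"sis"}, "p2": set(), "p3": {"omar"}},
}

def friends_of(user):
    """Return everyone who shares a friendship edge with `user`."""
    return {a if b == user else b for a, b in FRIENDS if user in (a, b)}

def photo_audience(album, photo_id):
    """Per-photo check: owner, owner's friends, tagged users, their friends."""
    owner = album["owner"]
    audience = {owner} | friends_of(owner)
    for tagged in album["photos"][photo_id]:
        audience |= {tagged} | friends_of(tagged)
    return audience

def album_audience(album):
    """Album-scoped check: a tag on any one photo opens every photo."""
    audience = set()
    for photo_id in album["photos"]:
        audience |= photo_audience(album, photo_id)
    return audience

def unintended_viewers(album):
    """For each photo, who gains access only because the check is album-wide."""
    wide = album_audience(album)
    return {pid: sorted(wide - photo_audience(album, pid))
            for pid in album["photos"]}

if __name__ == "__main__":
    for pid in sorted(ALBUM["photos"]):
        print(pid, "can be viewed by", sorted(photo_audience(ALBUM, pid)))
    print("extra viewers under album-wide access:", unintended_viewers(ALBUM))
```

Showing the output of `photo_audience` next to each photo is the "list of EVERYONE" from the quote; a non-empty `unintended_viewers` entry marks a photo whose real audience is wider than its own tags justify.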